Annex C 

Guidance about the issue of monetary penalties 

Introduction 

Information Commissioner's Office 


Under sections 55A and 55B of the Data Protection Act 1998 (the "Act"), 
introduced by the Criminal Justice and Immigration Act 2008, the Information 
Commissioner (the "Commissioner") may, in certain circumstances, serve a 
monetary penalty notice on a data controller. 

A monetary penalty notice is a notice requiring a data controller to pay a monetary 
penalty of an amount determined by the Commissioner and specified in the 
notice. The amount of the monetary penalty determined by the Commissioner 
must not exceed £500,000. The monetary penalty is not kept by the 
Commissioner, but must be paid into the Consolidated Fund owned by HM 
Treasury. 

The Commissioner may impose a monetary penalty notice if a data controller has 
seriously contravened the data protection principles and the contravention was of 
a kind likely to cause substantial damage or substantial distress. In addition the 
contravention must either have been deliberate or the data controller must have 
known or ought to have known that there was a risk that a contravention would 
occur and failed to take reasonable steps to prevent it. 

The power to impose a monetary penalty notice is part of the Commissioner's 
overall regulatory regime which includes the power to serve an enforcement 
notice under section 40 of the Act and the power to carry out an Assessment [1]. It 
will be used as both a sanction and a deterrent against non-compliance with the 
statutory requirements. 

The Commissioner may still serve an enforcement notice in relation to the same 
contravention if he is satisfied that positive steps need to be taken by a data 
controller for compliance with the data protection principle(s) in question to be 
achieved. 

The Commissioner's underlying objective in imposing a monetary penalty notice is 
to promote compliance with the Act. The possibility of a monetary penalty notice 
should act as an encouragement towards compliance, or at least as a deterrent 
against non-compliance, on the part of all data controllers. 

It is clear from the wording of sections 55A and 55B of the Act that a monetary 
penalty notice will only be appropriate in the most serious situations. Therefore in 
such cases the monetary penalty must be sufficiently meaningful to act both as a 
sanction and also as a deterrent to prevent non-compliance of similar seriousness 
in the future by the contravening data controller and by other data controllers. 



[1] An Assessment is an assessment made, with the consent of a data controller, as to whether the data 
controller's processing of personal data follows good practice - section 51(7) of the Act. 

This applies both in relation to the specific type of contravention and other 
contraventions more generally. 

The Commissioner will take into account the sector (for example, whether the data 
controller is a voluntary organisation), the size, financial and other resources of a 
data controller before determining the amount of a monetary penalty. The 
purpose of a monetary penalty notice is not to impose undue financial hardship on 
an otherwise responsible data controller. 

At the same time the Commissioner considers that the proper handling of 
personal data in accordance with the Act should not be seen as an extra 
requirement for businesses. Compliance with the Act is an integral part to the 
carrying out of any business activity. 

Monetary penalty notices are only designed to deal with serious contraventions of 
the data protection principles. At the same time there may be wide variations in 
the amount of the monetary penalty depending on the circumstances of each 
case. Minor contraventions may be subject to other enforcement procedures. 

The Commissioner is committed to acting consistently, proportionately and in 
accordance with public law. Essentially, the Commissioner will use this power as 
a sanction against a data controller who deliberately or negligently disregards the 
law. However, it does not change his commitment to provide guidance simplifying 
the Act where possible and making it easier for organisations to comply with their 
obligations under the Act. 

This is the statutory guidance issued under the Act. This means that the guidance 
has been approved by the Secretary of State and laid before Parliament. This 
guidance must, in particular, deal with the circumstances in which the 
Commissioner would consider it appropriate to issue a monetary penalty notice 
and how he will determine the amount of the monetary penalty. 

It should be read in conjunction with the Data Protection (Monetary Penalties) 
(Maximum Penalty and Notices) Regulations 2010 and the Data Protection 
(Monetary Penalties) Order 2010. 

The Commissioner will consider altering or replacing this guidance in the way 
provided for in the Act in the light of experience of its application. Any such 
altered or replaced guidance must be approved by the Secretary of State and will 
then be published on the Commissioner's website. 
For ease of reference this guidance is divided into the following sections: 

Section 1  Brief overview 

Section 2  Power to impose a monetary penalty 

Section 3  Circumstances in which the Commissioner would consider it 
           appropriate to issue a monetary penalty notice 

Section 4  How the Commissioner will determine the amount of a monetary 
           penalty together with the factors he will take into account when 
           making such a decision 

Section 5  Notice of Intent 

Section 6  Provision for a data controller to make representations to the 
           Commissioner before a final decision is made 

Section 7  Monetary penalty notice 

Section 8  Right of appeal against monetary penalty notice 
1 Brief overview (see figure A below) 

As a starting point the Commissioner will satisfy himself, by means of an 
investigation or otherwise, that he has the power to impose a monetary penalty in 
that there has been a serious contravention of the data protection principles and 
that the other statutory requirements apply (see section 2 below). 

He will then consider whether, in the circumstances, it would be appropriate to 
issue a monetary penalty notice on a data controller (see section 3 below) and, if 
so, determine the amount of a monetary penalty (see section 4 below). 

The Commissioner must initially serve a notice of intent on a data controller if he 
proposes to serve a monetary penalty notice. The notice of intent will set out the 
proposed amount of the monetary penalty (see section 5 below). 

The notice of intent will also inform the data controller that he may make written 
representations in relation to the Commissioner's proposal within a certain period 
of time (see section 6 below). 

The Commissioner may then serve a data controller with a monetary penalty 
notice requiring the data controller to pay a monetary penalty of an amount 
determined by the Commissioner and specified in the notice (see section 7 
below). A monetary penalty notice can be varied or cancelled by the 
Commissioner. 

A data controller on whom a monetary penalty notice is served may appeal to the 
Tribunals Service against the issue of the variation notice, the monetary penalty 
notice and/or the amount of the penalty specified in the notice (see section 8 
below). 
Figure A (flowchart of the process in sections 1 to 8; the diagram itself is not reproduced in this text) 

Note: *The Commissioner may after the issue of a Monetary Penalty Notice (MPN) vary or 
cancel that MPN by written notice. 

2 Power to impose a monetary penalty 

The Act applies to the whole of the UK. It does not apply retrospectively therefore 
monetary penalty notices will only be used in respect of contraventions occurring 
on or after 6 April 2010. 

Except for the Crown Estate Commissioners or a person who is a data controller 
by virtue of section 63(3) of the Act, the power to apply monetary penalties applies 
to all data controllers in the private, public and voluntary sectors including, but not 
limited to: large companies; small businesses; sole traders; charitable bodies; 
voluntary organisations; Government Departments; and office holders created by 
statute such as electoral registration officers. 

A monetary penalty notice cannot be imposed on a person who is not a data 
controller, for example, a bank employee or a Crown Servant such as a member 
of the Armed Forces or a volunteer for a charity. Nor can a monetary penalty be 
imposed on a data processor where processing of personal data is carried out on 
behalf of a data controller or against an individual who processes personal data 
for domestic purposes. 

The Commissioner will not impose a monetary penalty if to do so would result in 
the Commissioner acting inconsistently with any of his statutory or public law 
duties. Nor will the Commissioner impose a monetary penalty if the contravention 
was discovered in the process of the Commissioner carrying out an Assessment 
on a data controller who has provided prior consent or following compliance with 
an Assessment Notice served under section 173 of the Coroners and Justice Act 
2009. 

As a general rule a data controller with substantial financial resources is more 
likely to attract a higher monetary penalty than a data controller with limited 
resources for a similar contravention of the data protection principles. It is not 
possible to provide specific examples at this early stage until actual cases present 
themselves. However, when precedents are available from either the monetary 
penalty notices served by the Commissioner or the decisions of the Tribunals, 
further guidance will be produced so that a data controller can better assess its 
position. 

As a starting point the Commissioner will satisfy himself that he has the power to 
impose a monetary penalty in that there has been a serious contravention of the 
data protection principles by a data controller and that the other statutory 
requirements apply. See figure B below. 
Figure B (decision flowchart, rendered as text) 

Q1. Is there a serious contravention of section 4(4) of the Act 
by a data controller? 

And 

Q2. Is the contravention of a kind likely to cause substantial 
damage or substantial distress? 

And either 

Q3. Is the contravention deliberate? 

If the answer is yes to all of these questions the Commissioner has 
the power to impose a monetary penalty. 

Or 

Q3. Did the data controller know or should he have known that 
there was a risk that the contravention would occur and of a kind 
likely to cause substantial damage or substantial distress? 

Q4. Were no reasonable steps taken to prevent the contravention? 

If the answer is yes to all of these questions the Commissioner has 
the power to impose a monetary penalty. 


2.1 To reiterate, the Commissioner has to be satisfied that - 

a) There has been a serious contravention of section 4(4) of the Act by the 
data controller; and 

b) The contravention was of a kind likely to cause substantial damage or 
substantial distress; and either, 

c) The contravention was deliberate; or, 

d) The data controller knew or ought to have known that there was a risk that 
the contravention would occur, and that such a contravention would be of a 
kind likely to cause substantial damage or substantial distress, but failed to 
take reasonable steps to prevent the contravention. 
Commissioner's interpretation of section 55A of the Act 

What will constitute a serious contravention? 

The Commissioner will take an objective approach in considering whether there 
has been a serious contravention of the data protection principles. The 
Commissioner will aim to reflect the reasonable expectations of individuals and 
society and ensure that any harm is genuine and capable of explanation. It is 
possible that a single breach of a data protection principle may be sufficient to 
meet this threshold. 

Examples - serious contravention 

The failure by a data controller to take adequate security measures (use of 
encrypted files and devices, operational procedures, guidance etc.) resulting in 
the loss of a compact disc holding personal data. 

Medical records containing sensitive personal data are lost following a security 
breach by a data controller during an office move. 

What does the Commissioner mean by the term substantial? 

The likelihood of damage or distress suffered by an individual will have to be 
considerable in importance, value, degree, amount or extent. The Commissioner 
will assess both the likelihood and the extent of the damage or distress as 
objectively as possible. In assessing the likelihood of damage or distress suffered 
by an individual the Commissioner will consider whether the damage or distress is 
merely perceived or of real substance. 

Example - substantial 

Inaccurate personal data held by an ex-employer is disclosed by way of an 
employment reference resulting in the loss of a job opportunity for an individual. 

What is meant by the term damage? 

Damage is any financially quantifiable loss suffered by an individual such as loss 
of profit or earnings, or other things. 

Example - damage 

Following a security breach by a data controller financial data is lost and an 
individual becomes the victim of identity fraud. 

What is meant by the term distress? 

Distress is any injury to feelings, harm or anxiety suffered by an individual. 

Example - distress 

Following a security breach by a data controller medical details are stolen and an 
individual suffers worry and anxiety that his sensitive personal data will be made 
public even if his concerns do not materialise. 
What will constitute a deliberate contravention? 
See section 3.3 below. 

Example - deliberate 

A marketing company collects personal data stating it is for the purpose of a 
competition and then, without consent, knowingly discloses the data to populate a 
tracing database for commercial purposes without informing the individuals 
concerned. 

What is meant by the term knew or ought to have known? 

The Commissioner considers that this means a data controller is aware or should 
be aware of a risk that a contravention will occur. The test is objective and the 
Commissioner will expect the standard of care of a reasonably prudent data 
controller. 

See section 3.3 below. 

Example - knew or ought to have known 

A data controller is warned by its IT department that employees are accessing 
sensitive personal data but fails to carry out a risk assessment or implement a 
policy of encrypting all laptops and removable media as appropriate. 

What are the reasonable steps the Commissioner expects the data controller to 
take? 

The Commissioner is more likely to consider that the data controller has taken 
reasonable steps to prevent the contravention if any of the following apply: 

a) The data controller had carried out a risk assessment or there is other 
evidence (such as appropriate policies, procedures, practices or processes 
in place or advice and guidance given to staff) that the data controller had 
recognised the risks of handling personal data and taken steps to address 
them; 

b) The data controller had good governance and/or audit arrangements in 
place to establish clear lines of responsibility for preventing contraventions 
of this type; 

c) The data controller had appropriate policies, procedures, practices or 
processes in place and they were relevant to the contravention, for 
example, a policy to encrypt all laptops and removable media in relation to 
the loss of a laptop by an employee of the data controller; 

d) Guidance or codes of practice published by the Commissioner or others 
and relevant to the contravention were implemented by the data controller, 
for example, the data controller can demonstrate compliance with the BS 
ISO/IEC 27001 standard on information security management. 
This list is not exhaustive and the Commissioner will consider whether the data 
controller has taken reasonable steps on a case by case basis. In doing so he will 
take into account the resources available to the data controller but this alone will 
not be a determining factor. 

Example - reasonable steps 

In relation to a security breach the data controller rectifies a flaw in his computer 
systems as soon as he practicably could have done. 
3 Circumstances in which the Commissioner may consider it 
appropriate to issue a monetary penalty notice 

3.1 The Commissioner will not impose a monetary penalty if to do so would 
result in the Commissioner acting inconsistently with any of his statutory 
duties. Nor will the Commissioner impose a monetary penalty if the 
contravention was discovered in the process of the Commissioner carrying 
out an Assessment on a data controller who has provided prior consent or 
following compliance with an Assessment Notice served under section 41A 
of the Data Protection Act 1998 as inserted by section 173 of the Coroners 
and Justice Act 2009. 

3.2 The Commissioner will seek to ensure that the imposition of a monetary 
penalty is appropriate and the amount of that penalty is reasonable and 
proportionate, given the particular facts of the case and the underlying 
objective in imposing the penalty. 

3.3 In deciding whether it is appropriate to impose a monetary penalty and in 
determining the amount of that monetary penalty, the Commissioner will 
take full account of the particular facts and circumstances of the 
contravention and of any representations made to him by the data 
controller. 

The presence of one or more of the following factors will make the 
imposition of a monetary penalty more likely: 

Seriousness of contravention 

• The contravention is or was particularly serious because of the nature of 
the personal data concerned. 

• The duration and extent of the contravention. 

• The number of individuals actually or potentially affected by the 
contravention. 

• The fact that it related to an issue of public importance. 

• The contravention was due to either deliberate or negligent behaviour on 
the part of the data controller. 

Likelihood of substantial damage or substantial distress 

• The contravention was of a kind more likely than not to cause substantial 
damage or substantial distress to one or more individual. 

Deliberate contravention 

• The contravention by the data controller was deliberate or premeditated. 
• The data controller was aware of and did not follow specific advice 
published by the Commissioner or others and relevant to the 
contravention. 

• The contravention followed a series of similar contraventions by the data 
controller and no action had been taken to rectify what had caused the 
original contraventions. 

Knew or ought to have known 

• The likelihood of the contravention should have been apparent to a 
reasonably prudent data controller. 

• The data controller had adopted a cavalier approach to compliance and 
failed to take reasonable steps to prevent the contravention, for example, 
not putting basic security provisions in place. 

• The data controller had failed to carry out any sort of risk assessment and 
there is no evidence, whether verbally or in writing, that the data controller 
had recognised the risks of handling personal data and taken reasonable 
steps to address them. 

• The data controller did not have good corporate governance and/or audit 
arrangements in place to establish clear lines of responsibility for 
preventing contraventions of this type. 

• The data controller had no specific procedures or processes in place which 
may have prevented the contravention (for example, a robust compliance 
regime or other monitoring mechanisms). 

• Guidance or codes of practice published by the Commissioner or others 
and relevant to the contravention, for example, the BS ISO/IEC 27001 
standard on information security management, were available to the data 
controller and ignored or not given appropriate weight. 

Other considerations 

• The need to maximise the deterrent effect of the monetary penalty by 
setting an example, where there are grounds for a penalty to be imposed, 
to other data controllers where it is necessary so as to counter the 
prevalence of such contraventions. 

• The data controller had expressly, and without reasonable cause, refused 
to submit to an Assessment which could reasonably have been expected to 
reveal a risk of the contravention. 
3.4 The presence of one or more of the following factors will make the 
imposition of a monetary penalty by the Commissioner less likely: 

• The contravention was caused or exacerbated by circumstances outside 
the direct control of the data controller and the data controller had done all 
that it reasonably could to prevent contraventions of the Act. For example 
it had a contract in place with a data processor and had properly monitored 
the data processor's compliance with the contract. 

• The data controller has already complied with any requirements or rulings 
of another regulatory body in respect of the facts giving rise to the 
contravention (the Commissioner will endeavour to work closely with other 
regulators with a view to ensuring that multiple penalties are not imposed 
on a data controller for what is in effect a single failure). 

• There was genuine doubt or uncertainty that any relevant conduct, activity 
or omission in fact constituted a contravention of the Act. 


3.5 If the Commissioner considers that there are other factors, not referred to 
above, that are relevant to his decision whether it would be appropriate to 
impose a monetary penalty in a particular case, the Commissioner will 
explain what these are. Although there may not always be any other 
factors this provision allows the Commissioner to take into account 
circumstances that are not generally applicable but which are still relevant 
to the Commissioner's decision on whether or not to impose a monetary 
penalty in the case in question. 
4 How the Commissioner will determine the amount of a monetary 
penalty 

4.1 Once it has been decided that a monetary penalty should be imposed, the 
Commissioner must then consider what would be the appropriate amount, 
given the circumstances of the case. Again, the Commissioner will have 
regard to the underlying objective as set out in the Introduction and to the 
general approach set out in paragraphs 3.1 to 3.3 above. 

4.2 A number of issues are likely to be relevant to the decision as to what 
would be an appropriate monetary penalty in a particular case. These 
issues will vary from case to case, but will be closely related to those 
determining whether to impose a penalty at all. One or more of the factors 
which may be relevant in some or all cases are described below. These 
factors are not exhaustive. 

Nature of the Contravention 

• How serious the contravention was or is in terms of the nature of the 
personal data concerned and the number of individuals actually or 
potentially affected. 

• Whether the contravention was a "one-off" or part of a series of similar 
contraventions. 

• Whether the contravention was caused or exacerbated by activities or 
circumstances outside the direct control of the data controller, for example, 
a data processor or an errant employee. 

• The duration and extent of the contravention. 

• Whether guidance or codes of practice published by the Commissioner or 
others and relevant to the contravention were used by the data controller, 
for example, the BS ISO/IEC 27001 standard on information security 
management. 

The Effect of the Contravention 

• Whether there was, may be or might have been substantial damage or substantial 
distress caused to individuals. 

Behavioural issues 

• What procedures or processes the data controller had in place to avoid the 
contravention (for example, the robustness of the data controller's 
compliance regime or other monitoring mechanisms). 

• What steps, if any, had been taken to avoid the contravention. 

• What steps, if any, the data controller has taken once it became aware of 
the contravention (for example, concealing it, voluntarily reporting it to the 
Commissioner, or not taking action once the Commissioner or another 
body had identified a breach). 

• The role of senior managers who would be expected to demonstrate higher 
standards of behaviour. 

• Whether the data controller has been willing to offer compensation to those 
affected. 

• Whether there has been any lack of co-operation or deliberate frustration, 
for example, failure to respond to the Commissioner's reasonable requests 
for information during the course of the investigation. 

• Whether the data controller has expressly refused, and without reasonable 
cause, to submit to an Assessment which could reasonably have been 
expected to reveal a risk of the contravention. 

Impact on the Data Controller 

• The Commissioner will aim to eliminate any financial gain or benefit 
obtained by the data controller from non-compliance with the Act. 

• The Commissioner will take into account the sector, for example, whether 
the data controller is a voluntary organisation and also the size, financial 
and other resources of the data controller. 

• Whether liability to pay the fine will fall on individuals and if so their status. 

• The Commissioner will consider the likely impact of the penalty on the data 
controller, in particular financial and reputational impact. 

• The Commissioner will take into account any proof of genuine financial 
hardship which may be supplied. The purpose of a monetary penalty 
notice is not to impose undue financial hardship on an otherwise 
responsible data controller. In appropriate cases the Commissioner will 
adjust the monetary penalty where, for example, a data controller made a 
loss in the previous year. 

Other considerations 

• If the Commissioner considers that a precedent or point of principle for 
other data controllers is relevant to a decision in a particular case, the 
Commissioner will explain that relevance. 

• If the Commissioner considers there are other factors, not referred to 
above, that are relevant in a particular case to his determination of the 
amount of the monetary penalty the Commissioner will explain what these 
are. Although there may not always be any other factors this provision 
allows the Commissioner to take into account circumstances that are not 
generally applicable but which are still relevant to the Commissioner's 
determination of the amount of a monetary penalty in the case in question. 

4.3 Having considered the relevant factors in relation to the particular facts and 
circumstances of the contravention under consideration, the Commissioner 
will determine the level of the monetary penalty. 
5 Notice of intent 

5.1 The amount of the monetary penalty determined by the Commissioner 
cannot exceed £500,000. Once the level of a monetary penalty has been 
determined, the Commissioner must serve the data controller with a notice 
of intent before he can issue a monetary penalty notice. The notice of 
intent will set out the proposed amount of the monetary penalty. 

5.2 A notice of intent must inform the data controller that he may 
make written representations in relation to the Commissioner's proposal 
within a period specified in the notice, and contain such other information 
as is prescribed in the Data Protection (Monetary Penalties) (Maximum 
Penalty and Notices) Regulations 2010. 

5.3 A notice of intent must contain the following information: 

(a) the name and address of the data controller; 

(b) the grounds on which the Commissioner proposes to serve a monetary 
penalty notice, including - 

(i) the nature of the personal data involved in the contravention; 

(ii) a description of the circumstances of the contravention; 

(iii) the reason the Commissioner considers that the contravention is 
serious; 

(iv) the reason the Commissioner considers that the contravention is of 
a kind likely to cause substantial damage or substantial distress; 
and 

(v) whether the Commissioner considers that section 55A(2) applies, or 
that section 55A(3) of the Act applies, and the reason the 
Commissioner has taken this view; 

(c) an indication of the amount of the monetary penalty the Commissioner 
proposes to impose and any aggravating or mitigating features the 
Commissioner has taken into account; and 

(d) the date on which the Commissioner proposes to serve the monetary 
penalty notice. 

5.4 The notice of intent must specify a period within which the data 
controller can make written representations to the Commissioner. This 
period must not be less than 21 days beginning with the first day after the 
date of service of the notice of intent. 
6 Provision for a data controller to make representations to the 
Commissioner before a final decision is made 

6.1 The purpose of the notice of intent is to set out the Commissioner's 
proposal and enable the data controller to make its representations to the 
Commissioner's office. A data controller may wish to comment on the facts 
and views set out by the Commissioner in the notice of intent or to make 
general remarks on the case and enclose documents or other material 
such as details of their finances. For example, if a security breach was 
caused entirely by the actions of a data processor, the data controller may 
want to provide the Commissioner with a full explanation of the 
circumstances that led to the breach together with a copy of the contract 
between the data controller and the data processor and the steps taken by 
the data controller to ensure compliance with the security guarantees in the 
contract. A data controller should also inform the Commissioner if any 
confidential or commercially sensitive information should be redacted from 
a monetary penalty notice. 

6.2 The Commissioner must consider any written representations made in 
relation to a notice of intent when deciding whether to serve a monetary 
penalty notice. Following expiry of the period referred to in paragraph 5.4 
above, the Commissioner will take the following steps: 

a) reconsider the amount of the monetary penalty generally, and whether it is 
a reasonable and proportionate means of achieving the objective or 
objectives which the Commissioner seeks to achieve by this imposition; 

b) ensure that the monetary penalty is within the prescribed limit of £500,000; 
and 

c) ensure that the Commissioner is not, by imposing a monetary penalty, 
acting inconsistently with any of his statutory or public law duties and that a 
monetary penalty notice will not impose undue financial hardship on an 
otherwise responsible data controller. 

6.3 Having taken full account of any representations the data controller may 
wish to make and any other circumstances relevant to the particular 
case under consideration, the Commissioner will decide whether or not to 
impose a monetary penalty and, if so, determine an appropriate 
and proportionate monetary penalty. The monetary penalty should not be 
substantially different to the amount proposed in the notice of intent unless 
circumstances revealed since the issuing of the notice of intent, which the 
data controller has been given the opportunity to contradict, justify such a 
change. 

6.4 The Commissioner must either serve a monetary penalty notice or write to 
the data controller advising that no further action is to be taken in regard to 
the contravention specified in the notice of intent. However, this provision 
does not affect the Commissioner's power to use other enforcement 
powers, such as issuing an enforcement notice, if the case merits it. 

6.5 The Commissioner may not serve a monetary penalty notice if a period of 6 
months has elapsed after the service of the notice of intent. 
7 Monetary penalty notice 

7.1 The Commissioner may serve a monetary penalty notice on a data 
controller requiring the data controller to pay a monetary penalty of an 
amount determined by the Commissioner and specified in the monetary 
penalty notice. The monetary penalty notice must contain such information 
as is prescribed in the Data Protection (Monetary Penalties) (Maximum 
Penalty and Notices) Regulations 2010. 

7.2 A monetary penalty notice must contain the following information: 

(a) the name and address of the data controller; 

(b) details of the notice of intent served on the data controller; 

(c) whether the Commissioner received written representations following the 
service of the notice of intent; 

(d) the grounds on which the Commissioner imposes the monetary penalty, 
including- 

(i) the nature of the personal data involved in the contravention; 

(ii) a description of the circumstances of the contravention; 

(iii) the reason the Commissioner is satisfied that the contravention is 
serious; 

(iv) the reason the Commissioner is satisfied that the contravention is of 
a kind likely to cause substantial damage or substantial distress; 
and 

(v) whether the Commissioner is satisfied that section 55A(2) applies, or 
that section 55A(3) applies, and the reason the Commissioner is so 
satisfied; 

(e) the reasons for the amount of the monetary penalty including any 
aggravating or mitigating features the Commissioner has taken into 
account when setting the amount; 

(f) details of how the monetary penalty is to be paid; 

(g) details of, including the time limit for, the data controller's right of appeal 
against: 

(i) the imposition of the monetary penalty, and 
(ii) the amount of the monetary penalty; and 

(h) details of the Commissioner's enforcement powers under section 55D. 
7.3 The monetary penalty notice will be published on the Commissioner's 
website with any confidential or commercially sensitive information 
redacted. The monetary penalty must be paid to the Commissioner by 
BACS transfer or cheque within the period specified in the monetary 
penalty notice which will be a period of at least 28 calendar days beginning 
with the first day after the date of service of the monetary penalty notice. 
The monetary penalty is not kept by the Commissioner but must be paid 
into the Consolidated Fund which is the Government's general bank 
account at the Bank of England. 

Early payment discount 

7.4 If the Commissioner receives full payment of the monetary penalty within 
28 calendar days of the monetary penalty notice being served, the 
Commissioner will reduce the monetary penalty by 20%. 

Variation of a monetary penalty notice 

7.5 The Commissioner may serve a data controller with a variation notice. A 
variation notice is a notice that the Commissioner proposes to vary a 
monetary penalty notice. A variation notice must - 

a) identify the notice concerned; and 

b) specify how the notice is to be varied. 

The Commissioner may not vary a monetary penalty notice so as to increase 
the amount of the monetary penalty, or otherwise vary a monetary penalty 
notice to the detriment of the person on whom it was served. 

Where the Commissioner varies a monetary penalty notice so as to reduce the 
amount of the monetary penalty, the Commissioner must repay any amount 
that has already been paid that exceeds the amount of the reduced monetary 
penalty. 

Where the Commissioner varies a monetary penalty notice he may consider 
whether to extend the period of time by which the monetary penalty is to be 
paid. 

The Commissioner may not vary a monetary penalty notice so as to reduce the 
period of time by which the monetary penalty is to be paid. 

Any notice of variation of the monetary penalty notice will be published on the 
Commissioner's website with any confidential or commercially sensitive 
information redacted. 

A person on whom a variation notice is served may appeal to the Tribunal 
against the variation notice. 
Enforcement of a monetary penalty notice 

7.6 The Commissioner must not take action to enforce a monetary penalty 
unless: 

(a) the period specified in the monetary penalty notice within which a monetary 
penalty must be paid has expired and all or any of the monetary penalty 
has not been paid; 

(b) all relevant appeals against the monetary penalty notice and any variation 
of it have either been decided or withdrawn; and 

(c) the period for the data controller to appeal against the monetary penalty 
and any variation of it has expired. 

7.7 In England, Wales and Northern Ireland, the penalty is recoverable by 
Order of the County Court or the High Court. In Scotland, the penalty can 
be enforced in the same manner as an extract registered decree arbitral 
bearing a warrant for execution issued by the sheriff court of any 
sheriffdom in Scotland. 

Cancellation of a monetary penalty notice 

7.8 The Commissioner can cancel a monetary penalty notice by serving a data 
controller with a cancellation notice. A cancellation notice is a notice that a 
monetary penalty notice ceases to have effect. A cancellation notice must- 

(a) identify the notice concerned; and 

(b) state that the notice concerned has been cancelled. 

Where a monetary penalty notice has been cancelled, the Commissioner 
may not take any further action under section 55A, 55B or 55D of the Act in 
relation to the contravention specified in that monetary penalty notice. 

Where a monetary penalty notice has been cancelled, the Commissioner 
will repay any amount that has been paid pursuant to that notice. 

Any notice of cancellation of the monetary penalty notice will be published 
on the Commissioner's website with any confidential or commercially 
sensitive information redacted. 
8 Right of Appeal against monetary penalty notice 

8.1 A data controller on whom a variation notice or monetary penalty notice is 
served may appeal to the General Regulatory Chamber (First-tier Tribunal) 
against a variation notice or the issue of the monetary penalty notice and/or 
the amount of the penalty specified in the notice. Please refer to the 
Tribunals service website at http://www.tribunals.gov.uk/ for the appeals 
procedure. 